Spam, phishing and online frauds have been around since the very beginnings of the Internet; all ISPs have been dealing with them for a long time. This is why the TES guidelines rather focus on more recent and less known threats, such as mailbox cracking and email interception; to prevent abuses in general, we suggest you to follow the appropriate best practices from the M3AAWG.
However, there is some basic advice that we would like to summarize.
First of all, ISPs should add to all their email servers a valid anti-spam and anti-malware filtering solution, and ensure that all messages going through their email service, both incoming and outgoing, pass through the filter. There is ample choice of solutions, free and commercial.
Incoming messages that look like spam should be marked so, and possibly moved into a separate folder in the user’s mailbox; users should still be free to review their spam, in case of filtering mistakes, but phishing messages should be marked separately from spam or even (depending on the level of certainty reached by the filtering system) rejected altogether. Your filter should also implement SPF, DKIM and DMARC verifications to determine whether to clear, mark as dubious, or reject messages; and should filter out executable attachments such as EXE files or JS scripts.
If you also provide your users with a webmail interface, this interface should mark spam clearly; especially, messages that look like phishing, if not rejected altogether, should at least be clearly marked with a prominent warning and shown with all non-textual content disabled. Also, the webmail interface should never load images, run scripts or open attachments embedded in messages, especially from unknown and unvalidated sources, without an explicit action by the user.
To combat malware, you should also run an anti-malware filter in your recursive domain name servers – the ones that the browsers of your users will query to connect to websites. If a user still receives a phishing message and clicks on a malicious link, the DNS anti-malware filter may be able to intercept the request and prevent the connection from happening.
Finally, you should support and educate your users. Your customer support must be prepared to detect and address user requests pertaining to phishing and malware. Your newsletter could include articles on how to detect fraudulent messages, or why avoid installing untrusted software from a random website. Any effort in education will later reduce problems and costs.
You will find more details on these solutions in the M3AAWG’s anti-phishing best practices.